Inappropriate Access to Patient Records Spanned 14 Years

Inappropriate access to electronic patient records by a clerk for 14 years at a state-run psychiatric facility in Massachusetts shows just how difficult it can be to detect and prevent long-term breaches involving insiders.

"These are the hardest cases to detect if you are still trying to audit manually or with a tool that only looks for compliance violations," says Mac McMillan, president of the security consultancy CynergisTek. "This is the kind of incident that demonstrates the need for behavioral-based monitoring that is capable of sorting through so much more data to identify inappropriate activity."

"Individuals who may be affected include people who were patients at Tewksbury Hospital from 2003 through May 2017," the statement says. Approximately 1,100 patients were impacted by the records snooping.

The health department says it's providing written notice to affected patients in addition to posting the notice on its website.

The 370-bed Tewksbury Hospital includes approximately 220 beds for "complex chronic" medical adult patients who reside in seven inpatient units, and 150 for psychiatric clients in five inpatient units. The hospital also accommodates offices for five state agencies.

Breach Discovery

The breach was discovered in April when a former patient expressed concern that someone may have accessed their electronic medical record inappropriately, the health department's notice says.

"A review conducted in response to this complaint revealed that one hospital employee appeared to have accessed the former patient's records without a good reason to do so. This discovery led to a broader review of the employee's use of the electronic medical records system at Tewksbury Hospital," the statement says. "As a result of this review, we were able to determine that the employee appeared to have inappropriately accessed the records of a number of current and former Tewksbury Hospital patients."

The information that was inappropriately viewed included names, addresses, phone numbers, dates of birth, diagnoses and other information about medical treatment at Tewksbury Hospital. For some individuals, it may also have included a Social Security number.

The health department says that so far, it has discovered no evidence that any of that patient information was misused. But it's advising affected individuals to "order a credit report and review it for any signs of fraud on any accounts." It is not offering free credit monitoring.

Steps Being Taken

The department declined to comment on how the former patient who complained about inappropriate access by the hospital worker discovered the breach. "We are not providing details due to patient confidentiality," says the department in a statement provided to Information Security Media Group.

While the employee at the center of the case is no longer working at the hospital, the department of health declined to comment on whether the worker was terminated. "State law prohibits us from disclosing any information related to personnel matters," the department says.

"To reduce the chance of future incidents like this occurring, we are reviewing our policies regarding access to the electronic medical records system," the department says in the statement provided to ISMG. "We are also re-assessing how we review our workforce members' use of the electronic medical records system, and we will be reviewing the training we provide to all workforce members regarding the privacy and security of confidential information."

Common Problem?

While incidents that involve insiders accessing hundreds or even thousands of patient records over a brief period of time potentially raise red flags, some experts say it can be trickier to detect insiders who inappropriately access smaller numbers of patient records over longer stretches of time.

"This unfortunately happens all the time as we have organizations who have not recognized the investment in privacy monitoring they must take to avoid this activity or have not embraced their responsibility to put effective controls in place," says McMillan of CynergisTek.

Privacy attorney Kirk Nahra of the law firm Wiley Rein notes: "We have seen a broad variety of cases involving insider misuse. While companies need to pay a lot of attention to this issue, it is also very hard to stop entirely. As in this case, it is critical not only to try to stop this from occurring, but, recognizing how hard that is, companies need an effective way to investigate issues or review potential problems."

Organizations need to be very alert for indications of potential security problems and act quickly to address them, Nahra says. "Here, there is no clear indication of why this was happening. If an individual hospital worker simply looks at records, very occasionally, it is virtually impossible to prevent - except through means that may make it too hard to operate the business," he says. "It is analogous to a situation you see a lot involving healthcare fraud - it is easy to steal a little over a long time. The people who get caught try to steal too much too soon."

Kate Borten, president of privacy and security consulting firm The Marblehead Group, says insider snooping remains a big problem for many healthcare entities. "While other industries subject to insider snooping have been able to implement certain controls, this is elusive and challenging for provider organizations," she says.

"No software algorithm can accurately predict when a user needs to access a patient record for work-related reasons. Snooping may become less common with more sophisticated software and processes and with more serious attention to sanctions," she notes. Also, all organizations should limit access permissions to the least necessary, she says.

McMillan suggests that the use of some advanced monitoring software can help detect many smaller incidents before they grow into bigger breaches.

Healthcare entities should consider investing in "a behavioral-based monitoring solution or managed privacy monitoring service capable of detecting even small deviations from appropriate activity more proactively providing early warning so the right actions can be taken to stop it," McMillan says. "The beauty of behavioral-based monitors is that they don't care if it is just once - if it is not appropriate, they report."

About the Author

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site, and played a lead role in the launch of InformationWeek's healthcare IT media site.
